Abstract
Elliptic curve cryptographic algorithms convert input data to unrecognizable encryption and the unrecognizable data back again into its original decrypted form. The security of this form of encryption hinges on the enormous difficulty that is required to solve the elliptic curve discrete logarithm problem (ECDLP), especially over , . This paper describes an effective method to find solutions to the ECDLP by means of a molecular computer. We propose that this research accomplishment would represent a breakthrough for applied biological computation and this paper demonstrates that in principle this is possible. Three DNA-based algorithms: a parallel adder, a parallel multiplier, and a parallel inverse over are described. The biological operation time of all of these algorithms is polynomial with respect to . Considering this analysis, cryptography using a public key might be less secure. In this respect, a principal contribution of this paper is to provide enhanced evidence of the potential of molecular computing to tackle such ambitious computations.
1. Introduction
This paper proposes theoretical work that introduces powerful algorithms of molecular computation that could potentially compromise the security that is afforded by certain cryptography algorithms. Molecular computation [1] involves biochemistry and DNA rather than silicon chips to tackle formidable computations. Theoretical aspects of this interdisciplinary field are important to develop the potential and interest in this form of computation [2].
Elliptic curve cryptography (ECC) is a mathematical approach to public key cryptography using elliptic curves that are typically defined over finite fields [3]. Elliptic curves [4, 5] constitute a major area of current research that is particularly important to number theory, for example, elliptic curves had a role in the recent proof of Fermats last theorem. As applied to cryptography, not only has ECC become applied in Diffie-Hellman key exchange but also in the digital signature algorithm (DSA), a US federal government standard for digital signatures. It is known as the elliptic curve DSA (ECDSA) or that variant of the DSA operating on elliptic curve groups.
The security of these cryptosystems relies on the difficulty of solving the elliptic curve discrete logarithm problem [6, 7]. If is a point with order on an elliptic curve, and is some other point on the same curve, then the elliptic curve discrete logarithm problem is to determine an such that , where is an integer and . If this problem can be solved efficiently, then elliptic curve-based cryptosystems can be broken efficiently.
In order to tackle such a problem, Feynman proposed molecular computation in 1961 [8]. However, his idea was not implemented experimentally for some decades. In 1994, Adleman succeeded in solving an instance of the Hamiltonian path problem in a test tube, simply by the manipulation of DNA strands [1]. Following this, Lipton demonstrated that the Adleman techniques offered a solution to the satisfiability problem (the first considered NP-complete problem) [9].
Recent advances in molecular biology [10, 11] have made it possible to produce roughly DNA strands in a test tube. Those DNA strands can be made to represent bits of information. In a distant future, if biological operations may be run error free using a test tube with DNA strands, then it would be possible to process bits of information simultaneously. More details about test tube distributed systems are given in [2]. The objective for biological computing technology is to provide this enormous amount of parallelism for dealing with computationally intensive real world problems [12β14].
Advancement in DNA computing has already been made in many areas. In the field of cryptology, Boneh et al. have cracked DES using identical principles to those of Adleman's solution of the travelling salesman problem. Also, Chang et al. have developed a way to factor integers. They proposed three DNA-based algorithms: parallel subtractor; parallel comparator; and parallel modular arithmetic unit [15, 16].
In this paper, we take a step further with respect to Chang's work [16] in order to solve the elliptic curve discrete logarithm problem. We develop DNA-based algorithms for a parallel adder; a parallel multiplier; a parallel divider over (i.e., a Galois field of characteristic ); and a parallel adder for adding points on elliptic curves. We accomplish all of these by means of basic biological operations. We also showed that cryptosystems based on elliptic curves can be broken. Our work presents clear evidence of molecular computing abilities to accomplish complex mathematical operations.
The paper is organized as follows. Section 2 gives a brief background on DNA computing. Section 3 introduces the DNA computing that solves the elliptic curve discrete logarithm problem, for solution spaces of DNA strands. Conclusions are drawn in the final section.
2. Background
DNA (DeoxyriboNucleic Acid) is the molecule that plays the main role in DNA-based computing. DNA is a polymer, which is strung together from monomers called deoxyriboNucleotides. Distinct nucleotides are detected only with their bases, which come in two sorts: purines and pyrimidines. Purines include adenine and guanine, abbreviated A and G. Pyrimidines contain cytosine and thymine, abbreviated C and T. A DNA strand is essentially a sequence (polymer) of four types of nucleotides detected by one of four bases they contain. Two strands of DNA can form (under appropriate conditions) a double strand, if the respective bases are the Watson-Crick complements of each otherβA matches T and C matches G. Hybridization is a special technology term for the pairing of two single DNA strands to make a double helix and also takes advantages of the specificity of DNA base pairing for the detection of specific DNA strands (for more discussions of the relevant biological background, refer to [10, 11]).
In the past decade, there have been revolutionary advances in the field of biomedical engineering, particularly in recombinant DNA and RNA manipulating. Due to the industrialization of the biotechnology field, laboratory techniques for recombinant DNA and RNA manipulation are becoming highly standardized. Basic principles about recombinant DNA can be found in [17β20]. In the following, we describe five biological operations that are useful for solving the elliptic curve discrete logarithm problem.
A (test) tube is a set of molecules of DNA (a multiset of finite strings over the alphabet ). Given a tube, one can perform the following operations.
(1)Extract. Given a tube and a short single strand of DNA, , the operation produces two tubes and , where is all of the molecules of DNA in which contain as a substrand and is all of the molecules of DNA in which do not contain .(2)Merge. Given tubes and , yield , where . This operation is to pour two tubes into one, without any change in the individual strands.(3)Amplify. Given a tube , the operation Amplify , will produce two new tubes and so that and are totally a copy of ( and are now identical) and becomes an empty tube.(4)Append. Given a tube containing a short strand of DNA , the operation will append onto the end of every strand in .(5)Append-head. Given a tube containing a short strand of DNA, , the operation will append onto the head of every strand in .
3. Finding the Discrete Logarithm on Elliptic Curve over
3.1. Elliptic Curve Public Key Cryptosystem over
An elliptic curve is defined to be the set of solutions to the equationwhere and , together with the point on the curve at infinity , (with homogeneous coordinates ).
The points on an elliptic curve form an Abelian group under a well-defined group operation. The identity of the group operation is the point . For a point on the curve, we define to be , so . Now suppose and are not , and . Let be as above and , then , where (refer to [21]).
In this paper, for convenience, use to denote the value of over .
Let be an elliptic curve defined over , and let be a fixed and publicly known point. The receiver chooses randomly and publishes the key , while keeping itself secret. To transmit a message to , user chooses a random integer and sends the pair of points . To read the message, multiplies the first point in the pair by his secret , and then subtracts the result from the second point in the pair. So, if a breaker can compute from public key and , he can decrypt any encryption sent to (refer to [3]).
3.2. The Construction of a Parallel Adder over
Over , the additive operation on two numbers is just doing XOR on each bit, respectively, without any carry. For instance, . For every bit , two distinct 15 base value sequences are designed. One represents the value zero for and the other represents the value one for . For convenience, we assume that denotes the value of to be one and denotes the value of to be zero. The following algorithm is used for parallel adding two bits binary number in a strand with one starts from the th bit and the other one starts from the th bit and appending the result from th bit (see Algorithm 1).
|
Consider that , , and . That is, two binary numbers to be added in parallel are both 3 bits, while one from the 1st bit and the other one from the 4th bit in a strand, and βappendβ operation starts from the 7th bit. We then suppose, tube which is regarded as an input tube for the algorithm ParallelAdder . Because the value of is 3, step (1a) to step (1f) will be run 3 times. After the first execution of step (1a) is finished, and . Next, after the first execution of step (1b) and step (1c) is performed, , , , and , while . After first execution of step (1d) is run, tube and . After first execution of step (1e) and step (1f) is run, . Then, after the rest operations are performed, the result of tube is shown in Table 1.
Lemma 1. The algorithm ParallelAdder is applied to finish the function of a parallel adder.
Proof. The
algorithm ParallelAdder is implemented
by means of the extract, merge, and append operations. Each execution of step
(1a) is used to produce two tubes and , where all of the molecules of DNA in contain and all of the
molecules of DNA in contain . Each execution of step (1b) and step (1c) is used to
produce four tubes , , , , where all DNA strands in contain and , all DNA strands in contain and , all DNA strands in contain and , and all DNA strands in contain and . According to the additive theorem over , the th bit of the
sum in and is 1 and the th bit of the
sum in and is 0.
From ParallelAdder , it takes extract
operations, merge
operations, append
operations, and 9 test tubes to finish parallel addition. A value sequence for
every bit contains 15 bases. Therefore, the algorithm will add bases to all
DNA strands in tube .
3.3. The Construction of a Parallel Multiplier over
Over , the multiplicative operation runs as follows:
The algorithm ParallelMultiplier is used to multiply two bit binary numbers on every strand in parallel with one starts from the th bit and the other one starts from the th bit. It runs as follows: at first, employ extract operation to form two tubes: and . The first tube includes all of the strands on which and the second tube includes all of the strands on which . Then, we copy the bits from th to th to the end of every strand in tube and append bits 0 to the end of every strand in tube . After these operations, the th bit to th bit show the coefficients of to . Using the same principle, we get the coefficients of to , to to . At last, call algorithm ParallelAdder to compute the sum of coefficients of , the sum of coefficient of and so on. As a result, the length of every strand will increase bits.
From ParallelMultiplier , it takes extract operations, merge operations, append operations, and test tubes to finish the function of a parallel multiplier.
3.4. The Construction of a Parallel Shifter for Multiplicative Result
Because over , the exponent of cannot be beyond , the result of parallel multiplying should be shifted by a certain irreducible polynomial, called primitive polynomial: . The algorithm ParallelShifter , representing that the multiplicative result starts from the th bit, is used to parallel shift the multiplicative result to legal form over which can be designed as follows: appends the primitive polynomial's coefficients from to to the end of every strand at first. Employ the extract operation to form two test tubes and . Tube includes all of the strands on which and tube includes all of the strands on which . Then, we add the coefficients, from item to item , to the coefficients of irreducible polynomial in parallel in tube . This forms the new coefficients from to and has deleted the item. The coefficients from to are without any change. For the includes all of the strands that have , so just copy the coefficients from to without any change. After all the executions before are run, the highest exponent of is reduced to . Then, merge and and begin new reduction. The principle of rest reducing turn is all like this above. When this algorithm is run out, the highest exponent of is reduced to . This algorithm will totally append bits more to every strand.
From ParallelShifter , it takes extract operations, merge operations, append operations, and test tubes to finish the function of a parallel shifter.
3.5. The Mathematical Principle of Division on
Over , to do a division operation for a dividend and a divisor, one should get the divisor's inverse first and then multiply the dividend. For the primitive polynomial is irreducible, there exists a polynomial and a polynomial that fit the equation (according to Euclid algorithm):
Because , , which is to say is the inverse of the divisor. To find and , one can do as follows, which is called Euclid algorithm, also called division algorithm; first, is divided by the divisor. If the value of the remainder is 1, that is to say, with is the division result and the inverse of divisor has found which is ; else let remainder be , let the divisor be the dividend and be the divisor and do division operation again. Repeat the process until the remainder is 1. Because the highest exponent of of remainder reduces by 1 in each repeat, it is at most repeating times. So in the first time division, the dividend is bits and the divisor is bits and the remainder is at most bits, and in the second time division the dividend is bits and the divisor is bits and the remainder is at most bits and in last time division the dividend is 3 bits and the divisor is 2 bits and the remainder is 1 bit. Then, trace back to get the .
3.6. The Construction of a Parallel Comparator
Prior to each step of long division, comparison should be done first. Suppose the divisor is bits at that time. At first compare the first two bits of dividend with divisor to determine that addition operation between first two bits of dividend and divisor should be done or not, then compare the first three bits of result with divisor compare the first bits of result with divisor, the last time (finally), compare the last bits of result with divisor for this time the first bit of result is 0. The following algorithm is used to compare the divisor which is from th bit to th bit with the bits from th bit to th bit in parallel, and forms tube and . contains all strands on which add execution will be done and contains all strands on which add execution will not be done (see Algorithm 2).
|
Lemma 2. The algorithm Parallel Comparator is applied to finish the function of parallel comparator.
Proof. If , that means the bits of divisor is more than the bits
of the result which are intended to compare this time. Step (1) considers the
excessive bits of divisor and if any one bit is 1, which means the divisor is
βbigger" than the bits of the result which are intended to compare this
time and pour the strands to . Step (2) considers the rest of the bits of divisor
and the bits of result which are intended to compare this time. contains all
strands on which certain bit of divisor is 1 and corresponding bit of the
result is 1; contains all
strands on which certain bit of divisor is 1 and corresponding bit of the
result is 0; contains all
strands on which certain bit of divisor is 0 and corresponding bit of the
result is 0; contains all
strands on which certain bit of divisor is 0 and corresponding bit of the
result is 1. So add execution can be done over strands in and , which can not be done over strands in , and strands in need more
consideration.
From ParallelComparator , it takes extract
operations, merge
operations, and test tubes to
finish the function of a parallel comparator.
3.7. The Construction of a Parallel Long Division
Suppose the divisor is bits and is from th bit and the dividend is bits and is from the th bit in each strand. To do the long division, first compare the divisor with first two bits of dividend using ParallelComparator to get the first bit of the result of division and note down the result of first time addition result. Then, compare the divisor with the first three bits of the addition result last time to get the second bit of the result of the long division, and note down the addition result. Finally, compare the divisor with the last bits of addition result last time to get the last bit of division result and the remainder (see Algorithm 3).
|
Lemma 3. The algorithm SimilarDiv is applied to finish the function of parallel long division.
Proof. Each
execution of step (1) is to get each bit of the long division result. The rest
part is to get the last bit of the long division result. Consider the first
cycle of step (1), step (1a) compares the divisor with the first two bits of
the dividend, and form two tubes and that contains all strands
on which add execution can be done, contrarily the . Step (1b) appends 0 to all strands in and appends 1
to all strands in . This bit is the first bit of the division result.
Step (1c) just finishes to append the dividend in tube . Step (1d) adds the divisor and the first two bits of
the dividend in . Step (1e) copies the rest of the bits of the dividend
in . Step (1f) pours and together and
finishes the first execution of step (1) to get the first bit of the division
result and the first time addition result. The second execution of step (1) is
to compare the divisor with the first three bits of the addition result last
time and get the second bit of the division result. The principle of other
cycles and the rest of the steps are similar to the principle above. The length
of each strand will reach to bits when this
algorithm is run out.
From SimilarDiv , it takes extract
operations, append
operations, merge operations,
and test tubes to
finish the function of a parallel long division.
3.8. The Construction of Parallel Traceback
Suppose the irreducible polynomial and suppose and satisfy that , for the purpose of finding the divisor's inverse, , we need to do sometimes long division introduced in Section 3.7; let be the dividend and divisor mentioned above be the divisor in first time and suppose the result is , and if the remainder is 1, then the division result is . Else, let the divisor last time be the dividend and let the remainder last time be the divisor and do the long division. Suppose the result is and , if the remainder is 1, the is . Else, let the divisor last time be the dividend and let the remainder last time be the divisor and do the long division. Suppose the result is and , if the remainder is 1, the is . Generally speaking, we need to trace back after long division each time: first time, the tracing result is the division's result; the second time, the tracing's result is the sum of 1 and the product of the division's result and the tracing's result last time; from the third time, the tracing's result is the sum of the tracing's result last second time and the product of the division's result and the tracing's result last time. The following algorithm is used to do tracing operation from the third time in which , , and mean that the tracing's result last second time is from the th bit and the last tracing's result is from the th bit and the division result is from the th bit (see Algorithm 4).
|
Lemma 4. The
algorithm TraceBack is used to
trace back after long division from the third time in order to get the
divisor's inverse.Proof. In
this and following procedures, , which represent the total number of increased bits
when ParallelMultiplier and
ParallelShifter are called.
Step (1) is used to multiply the last tracing's result from th bit to the
long division result from th bit in
parallel. The result will be from the th bit to th bit. Step
(2) is to shift the result of multiplication to legal form which will append bits to every
strand. And its result is from th bit to th bit. Step
(3) is used to add the result to the last second time's tracing's result in
parallel.
From TraceBack , it takes extract
operations, append
operations, merge
operations, and test tubes to
finish the function of tracing back.
3.9. The Construction of a Parallel inverse
From the algorithms introduced above, we can find divisors' inverses in parallel as follows: first pick out the strands on which divisor equals to 1. Then, let the primitive polynomial be the dividend and the divisor be the divisor and do long division. Trace back to get the tracing's result first time and pick up the strands on which the remainder equals to 1 and store them in tube . Then, let the divisor last time be the dividend and the remainder last time be the divisor and do long division. Collect the quotient and trace back. Pick up the strands on which the remainder equals to 1 and store them in tube these executions, including long division, collecting every bit of the quotient and tracing back, are run times at most. In the following algorithm, the parameters and mean that the divisor is bits and it starts from th bit in every strand. The last parameter is used to represent that each strand in tube is bit long and we begin append operation from th bit of every strand.
Among the algorithm, the procedure Picking is used to pick out the strands on which the th bit to the th bit are all 0 and the th bit is 1 and store them in . It is easy to program, so just omitted here (see Algorithm 5).
|
Lemma 5. The
algorithm ParallelInverse is applied to
find inverses over in parallel.Proof. Step
(2) is used to append bits
irreducible polynomial, which is the dividend in first long division, to every
strand. The execution of step (3) calls the algorithm SimilarDiv to finish long
division. Now the length of strands is added up to bits. Step (4)
finishes the function of collecting every bit of quotient and will add bits to every
strand. This is the first time tracing result. Step (5) calls the procedure
Picking to pick out the
strands on which the remainder is 1 and store them in tube . Step (6) finishes the operation of appending the
dividend, which is divisor last time, to the strands. Note that . Step (7) calls the algorithm SimilarDiv to accomplish
the second time long division. Step (8) employs the append operation to append
a bit 0 in order to make the quotient to be bits. Step (9)
finishes the function of collecting every bit of quotient and will add bits to every
strand. Steps (10) and (11) call the algorithm ParallelMultiplier and
ParallelShifter . Step (12) is used to add 1 to the product. These
three steps accomplish the function of tracing back of the second time. Now the
length of every strand is . Step (13) calls the algorithm Picking to pick out the
strands on which the remainder is 1 and store them in tube . One execution of step (14) finishes the function of
long division and tracing back and picking out the strands on which the
remainder is 1. The step will be looped times, because
the long division should be done times to make
sure that the remainder of each strand equals to 1 and long division has been
done twice before. Note that while , . Step (15a) is used to append certain bits 0 to each
tube to make sure
that strands in to are all bits long. Step
(15b) is used to append the inverse gotten before to the last of every strand
in to . Step (18) pours strands in all tubes together to one
tube . From all above, getting inverse one time needs
increasing bits to every
strand.
From ParallelInverse , it takes extract
operations, append
operations, merge
operations, and test tubes to
finish the function of finding inverse in parallel.
3.10. The Construction of a Parallel Divider
To do a division operation on , first one should calculate divisor's inverse using above mentioned algorithm then multiply the dividend. The following algorithm is used to finish the function of parallel division over where the dividend begins with the th bit and the divisor begins with the th bit, and current bit is the th bit (see Algorithm 6).
|
Lemma 6. The
algorithm ParallelDivision is used to
finish the function of parallel division over .Proof. Step
(1) calls the algorithm ParallelInverse to get the
divisor's inverse of every strand. The length of every strand is bits now with
the inverse from th bit to th bit. Step
(2) calls ParallelMultiplier to finish the
function of the inverse being multiplied by the dividend every strand with the
dividend starting from the th bit. Now the
length of each strand adds up to bits. Step (3)
shifts the product by calling ParallelShifter and will add bits to every
strand. Generally speaking, doing parallel division one time need increasing the
strands bits.
From ParallelDivision , it takes extract
operations, append
operations, merge
operations, and test tubes to
finish the function of parallel division.
3.11. The Construction of a Parallel Adder of Two Points on Elliptic Curve
By far the addition, subtraction (the same to addition), multiplication, and division operations over have been solved. Now consider how to execute addition of two points on an elliptic curve in biological ways. We should consider five different cases: case 1, the first point is and the point of sum equals to the second point; case 2, the second point is and the point of sum equals to the first point; case 3, one point is the inverse of the other one, and the point of sum is ; case 4, one point equals to the other one, and computes the sum as the formula in part 3.1; case 5, computes the sum using the formula in part 3.1.
The algorithm AddTwoNode is used to add two points. The first one's position starts from the th bit and position starts from the th bit, and the second one's position starts from the th bit and starts from the th bit. The parameter represents the current bit. In the procedure, it calls Picking01 to pick out the strands on which the first point is and store them in , Picking02 to pick out the strands on which the second point is and store them in , PickingInverse to pick out the strands on which one point is the inverse of the other one and store them in tube , and PickingEqual to pick out the strands on which one point equals to the other one and store them in tube . These four algorithms are easy to design, so omitted here. Note that PickingInverse will increase bits to every strand in (see Algorithm 7).
|
Lemma 7. The
algorithm AddTwoNode can compute the
sum of two points on elliptic curve.Proof. Step
(5) employs append operation to append bits 0 to all
strands in tube . Step (6) to step (8) are operations on tube to get of strands in . Step (9) to step (13) are operations on tube to get of strands in . Step (14) pours and to and the length
of every strand in now is bits. Step (15)
to step (21) accomplish to compute the position of point of sum
and the result is from th bit. The
execution of steps (22) to (26) is used to get the position of the sum
which equals to . And now, the position of the sum is
from th bit and the
length is bits.
Steps (27) and (28) are applied to append the value
of positions and of the sum of
two points to the last of every strand. Now, the length of every strand in is bits with the
value from the th bit and from the th bit.
From AddTwoNode , it takes extract
operations, append
operations, merge
operations, and test tubes to
finish the function of a parallel adder for points on elliptic curve.
3.12. Breaking the Elliptic Curve Cryptosystem
We have constructed the algorithm above for parallel computing the point of the sum of two points. Then, we can solve elliptic curve discrete logarithm problem as follows: consider point and are given, and is what we want to get which matches . First, we amplify into two tubes and add in one tube. Check if equals to ; if not, note down the value of and pour two tubes together. Then, amplify the tube into two tubes and add in one tube. Check if any point equals to ; if not, note down the value of and pour two tubes together, or we get the value of . Then, amplify the tube into two tubes and add in one tube while this loop executes times, the value from 1 to for will have been checked, and the elliptic curve cryptosystem has been broken by the solved elliptic curve discrete logarithm problem.
4. Conclusion
This paper is the first effort in literature that demonstrates that the difficult problem for elliptic curve discrete logarithm can be solved on a DNA-based computer. While Chang's work makes great progress in application of DNA computing in cryptoanalysis [16], which is breaking RSA by factoring integer, this paper proposes application of DNA computing in another popular cryptosystem, ECC, which is more complex and has more challenge in cryptoanalysis. Though the algorithm is somewhat complex, it takes a series of steps that is polynomial in the input size, so it is feasible in theory and inspirits the development of DNA computing. Simultaneously, the paper also shows that humans' complex mathematical operations can directly be performed with basic biological operations. The property for the difficulty of elliptic curve discrete logarithm is the basis of elliptic curve cryptosystems. However, this property seems to be incorrect on a molecular computer. This indicates that the elliptic curve cryptosystems are perhaps insecure if the technique of DNA computing is skillful enough to run the algorithms efficiently as discussed in this paper.
Acknowledgments
The authors thank Daniel Howard (QinetiQ, Malvern Technology Centre, UK) for his great efforts in correcting this paper. This work is supported by National Natural Science Foundation (60603053) of China.